FERC Order 848, cyber security and reliability

U.S. energy regulators have issued an order directing the nation's electric reliability organization to strengthen its standards for the mandatory reporting of cyber security incidents.

Federal law authorizes the Federal Energy Regulatory Commission to regulate significant aspects of the bulk electric system's reliability. The Commission's jurisdiction over reliability covers the nation's electric reliability organization, North American Electric Reliability Corporation (NERC), which is charged with developing and submitting mandatory reliability standards for the Commission for approval.

Following increased concern over cybersecurity and hacking affecting utilities, in 2017 the Commission issued a Notice of Proposed Rulemaking proposing to direct that NERC develop enhanced Cyber Security Incident reporting requirements. At that time, then-current reliability standards generally required responsible entities to report Cyber Security Incidents only if they have “compromised or disrupted one or more reliability tasks. But the Commission expressed a concern that this reporting threshold "may understate the true scope of cyber-related threats facing the Bulk-Power System, particularly given the lack of any reportable incidents in 2015 and 2016." As a result, the Commission proposed requiring NERC to develop and submit modifications to its reliability standards, to require the reporting of cyber security incidents that compromise, or attempt to compromise, certain security infrastructure.

On July 19, 2018, the Federal Energy Regulatory Commission issued its Order No. 848. Through that order, the Commission adopted its own proposal to "improve awareness of existing and future cyber security threats and potential vulnerabilities." As described by the Commission, Order No. 848's directive consists of four elements:

1. responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS);
2. required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
3. filing deadlines for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity; and
4. Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, NERC must file an annual, public, and anonymized summary of the reports with the Commission.

The Commission directed NERC to submit these modifications to its reliability standards within six months of Order No. 848's effective date.